DETAILED ACTION 

Claim 32 is cancelled by Applicant. 
Claims 1-31 and 33-36 are amended. 
Claims 1-31 and 33-36 are herein considered. 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
February 1, 2006 has been entered. 

Response to Arguments 

Applicant's arguments filed February 2, 2006 have been fully considered but they 
are not persuasive. 

Applicant's arguments concerning the Examiner's rejections of claims 1-10 as 
being directed to non-statutory subject matter are considered but not persuasive. The 
result of claim 1 is an analysis, and until that analysis is used and made available it 
merely comprises a process within a processor without a tangible result. For these 
reasons, those 35 USC 101 rejections presented in the Examiner's previous office 
actions are maintained and repeated below. 
Applicant's arguments concerning claim 1 and Nerurkar's alleged failure to 
describe a computer-implemented method of any type are considered but not 
persuasive. The Applicant cites a number of comments made by the Examiner in the 
previous office action, including information concerning the title of the article, where it 
was found, and the job description of Nerurkar as an associate of the Software Concept 
Library, in order to provide additional support for the claim that Nerurkar does in fact 
disclose software utilizing the Onion Peel Model as described. The Examiner would like 
to note that although this information was cited, it was not the only information cited in 
support of the Examiner's rejections. The Examiner also pointed to specific sections of 
the article wherein it is stated that 'the need to include security as one of the concerns in 
the functional analysis and design of the software itself', providing sufficient support that 
Nerurkar's model is to be designed into software. The Examiner would also like to point 
to additional sections within Nerurkar's article, those that concern product development 
(page 50 column 1) and the capabilities of the model including handling distributed 
applications and providing maintainability and scalability for systems (page 56 column 
3). From this information, as well as the remaining sections of the article that, although 
not specifically mentioned, are included as part of the Examiner's prior art rejection, the 
Examiner contends that Nerurkar does in fact anticipate each and every element of 
claim 1, enabling the invention as recited in the claim. 

Applicant's remaining arguments concerning claim 1 fail to comply with 37 
CFR 1.111(b) because they amount to a general allegation that the claims define a 
patentable invention without specifically pointing out how the language of the claims 
patentably distinguishes them from the references. The Examiner has already pointed 
out those sections of Nerurkar which disclose the limitations of claim 1. Applicant's 
arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out 
the patentable novelty which he or she thinks the claims present in view of the state of 
the art disclosed by the references cited or the objections made. Further, they do not 
show how the amendments avoid such references or objections. 

In response to the Applicant's arguments concerning claims 2-10 and Nerurkar's 
failure to recite the additional features thereof, the Examiner respectfully disagrees. 

The Applicant's arguments concerning claim 5 and Nerurkar's failure to teach 
wherein particular components are selected and displayed along with other similar 
potential security threats are respectfully disagreed with. The Applicant contends that 
the partitioning based upon the similarities and natures of the security concern are not 
equivalent to the partitioning done by the instant application because they are not done 
in response to something being selected. The Examiner disagrees as it seems logical 
that the diagram can only be created by the specific selection of each of the security 
concerns followed by a careful consideration of the remaining concerns so that they 
may be placed in categories appropriate in relation. Each component must be selected 
before being placed within the diagram. 

The Applicant's arguments concerning claim 6 and Nerurkar's failure to teach 
wherein particular components are selected and displayed along with other similar 
potential security threats are respectfully disagreed with. The Applicant contends that 
the partitioning based upon the similarities and natures of the security concern are not 
equivalent to the partitioning done by the instant application because they are not done 
in response to something being selected. The Examiner disagrees as it seems logical 
that the diagram can only be created by the specific selection of each of the security 
concerns followed by a careful consideration of the remaining concerns so that they 
may be placed in categories appropriate in relation. Each component must be selected 
before being placed within the diagram. 

The Applicant's arguments for claims 11, 21, and 31 refer back to those for claim 
1, and are rejected for the same reasons as given above in regards to claim 1. Note: 
Although page 19 of the Applicant's remarks refers to claim 31, the Examiner believes 
that the Applicant erred and rather meant to discuss claim 21, considering the sequential 
nature of the remaining claims and the fact that claim 31 is discussed in subsequent 
pages. 

The Applicant's arguments for claims 12-20, 22-30, and 32-36 rely upon the 
withdrawal of the rejection of claims 11, 21 and 31 which have been declined, and so 
remain rejected for the same reasons. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. The language of the claim raises a question as 
to whether the claim is directed merely to a method that is not tied to a technological art, 
environment, or machine which would result in a practical application producing a 
concrete, useful, and tangible result to form the basis of statutory subject matter under 
35 U.S.C. 101. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed 
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 

Claims 1-36 are rejected under 35 U.S.C. 102(a) as being anticipated by 
"Security Analysis & Design" by Uttara Nerurkar, hereinafter referred to as 
Nerurkar. 

As per claim 1, Nerurkar discloses in a computer system, a method for providing 
application security threat-modeling, the method comprising providing class definitions 
for a plurality of model (software and hardware) components (peels) to represent 
respective elements of an application (pg.50 col. 3 par.4), each model component 
specifying a set of security threats categories potentially applicable to the component 
(security concerns) (pg.50 col. 2 par.2); responsive to user input, interconnecting at 
least a subset of the model components to form a logical model ("onion diagram") of the 
application (pg.52 col.1 par.1); and automatically analyzing the at least a subset of 
model components and respective interconnections to identify a set of potential security 
threats corresponding to the at least a subset, the potential security threats being 
associated with one or more of the security threat categories (pg.52 col.1 par.3; pg.54 
col.1 par.3). 

As per claim 2, Nerurkar discloses the method of claim 1, wherein the model 
components comprise a module, a port, a store, or a wire (network cabling) (pg.50 col. 3 
par.4). 

As per claim 3, Nerurkar discloses the method of claim 1, wherein the security 
threats categories comprise at least one subset of authentication (IA), authorization 
(AZ), auditing (00), privacy, integrity (00), availability, and non-repudiation (pg.56 col.1 
par.3). 

As per claim 4, Nerurkar discloses the method of claim 1, wherein providing the 
class definitions further comprises determining the security threat categories based on 
functionality of the component with respect to the application (use of objects, in the 
zone) (pg.50 col. 2 par.2). 

As per claim 5, Nerurkar discloses the method of claim 1, wherein analyzing 
further comprises responsive to selection of a particular component of the model 
components displaying each other component of the at least a subset that comprise at 
least a subset of similar potential security threat categories as the particular component 
(partition based on the similarity and nature of security concerns of the components) 
(pg.52 col.1 par.3). 

As per claim 6, Nerurkar discloses the method of claim 1, wherein analyzing 
further comprises responsive to selection of a particular component of the at least a 
subset, automatically displaying each other component of the at least a subset that 
comprises at least a subset of similar addressed security threats as the particular 
component (pg.56 col.2 par.4). 

As per claim 7, Nerurkar discloses the method of claim 1, wherein analyzing 
further comprises providing for the selection of a particular threat associated with the 
security threat categories to indicate that the particular threat requires a threat mitigating 
implementation in a particular model component of the at least a subset (pg.50 col.3 
par.1; pg.56 col.2 par.2). 

As per claim 8, Nerurkar discloses the method of claim 7, wherein providing for 
the selection of the particular threat further comprises identifying a priority of the threat 
mitigating implementation (decompose into sets consisting of objects requiring similar 
levels of security) (pg. 54 col. 1 par.3). 

As per claim 9, Nerurkar discloses the method of claim 7, wherein providing for 
the selection of the particular threat further comprises identifying a desired level of 
strength of (control) technology with which to mitigate the particular threat (pg.56 col.2 
par.2). 

As per claim 10, Nerurkar discloses the method of claim 7, wherein providing 
for selection of the particular threat further comprises presenting information associated 
with a particular technology (design and choose countermeasures based on coverage 
and costs) with which to mitigate the one or more potential threats in a physical 
implementation of the application (pg.50 col. 3 par.1). 
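To make the structure recited in claims 1 through 6 concrete, the following is an added illustration (not code from the application or from Nerurkar's article): component classes each carry the threat categories of claim 3, user-supplied interconnections form the logical model, the analysis of claim 1 is run over components and links, and the similarity display of claims 5 and 6 is derived from shared categories. The category-to-class assignments and the sample model are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
# Threat categories listed in claim 3 (constructed labels for this example).
AUTHN, AUTHZ, AUDIT, PRIVACY, INTEGRITY, AVAIL, NONREP = (
    "authentication", "authorization", "auditing", "privacy",
    "integrity", "availability", "non-repudiation")

# Claim 4: each class of component (claim 2) carries the categories that apply
# to its role in the application. These assignments are assumptions.
CLASS_CATEGORIES = {
    "module": {AUTHN, AUTHZ, AUDIT},
    "port":   {AUTHN, AVAIL},
    "store":  {PRIVACY, INTEGRITY, AVAIL},
    "wire":   {PRIVACY, INTEGRITY, NONREP},
}

@dataclass(frozen=True)
class Component:
    name: str
    kind: str  # "module", "port", "store" or "wire"
    @property
    def categories(self):
        return CLASS_CATEGORIES[self.kind]

@dataclass
class Model:
    components: dict = field(default_factory=dict)
    links: list = field(default_factory=list)  # interconnections (claim 1)
    def add(self, name, kind):
        self.components[name] = Component(name, kind)
    def connect(self, a, b):
        self.links.append((a, b))
    def analyze(self):
        """Claim 1: potential threats as (element, category) pairs: one per category a
        component carries, plus one per category shared by both ends of a link."""
        threats = {(c.name, cat) for c in self.components.values() for cat in c.categories}
        for a, b in self.links:
            shared = self.components[a].categories & self.components[b].categories
            threats |= {(f"{a}->{b}", cat) for cat in shared}
        return threats
    def similar(self, selected):
        # Claims 5 and 6: other components sharing a threat category with the selection.
        cats = self.components[selected].categories
        return sorted(n for n, c in self.components.items() if n != selected and c.categories & cats)

def demo():
    # Constructed model: browser port -> web module -> LAN wire -> database store.
    m = Model()
    for name, kind in [("web", "module"), ("http", "port"), ("db", "store"), ("lan", "wire")]:
        m.add(name, kind)
    for a, b in [("http", "web"), ("web", "lan"), ("lan", "db")]:
        m.connect(a, b)
    return m
```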

Claims 11-20 are directed towards a software implementation of the method of 
claims 1-10 and are rejected by a similar rationale. 

Claims 21-30 are directed towards a computer system implementing the method 
of claims 1-10 and are rejected by a similar rationale. 

Claims 31-33 are directed to a user interface comprising means for the 
implementation of the method of claims 1-3 and are rejected by a similar rationale. 

Claims 34-36 are directed to a user interface comprising means for the 
implementation of the method of claims 8-10 and are rejected by a similar rationale. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tamara Teslovich whose telephone number is (571) 
272-4241. The examiner can normally be reached on Mon-Fri 8-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 


Application/Control Number: 09/927,427 
Art Unit: 2137 
Page 10 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
